Kusto Team Cymru Table

Description

This data from Team Cymru is a threat intelligence feed from their full bogons IPv4 list. It can be used to further enhance Threat Intelligence with an additional source.

Source

https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
https://team-cymru.com/

Why should I use this data?

It is a high fidelity data source and can aid investigations and alerting.

Updates

Daily at around 0300UTC. The source data may or may not be updated as regularly.

Perma Link

https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip

Base Kusto Table

externaldata (Source:string, CIDR:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip'] with (ignoreFirstRecord=true)

Base Kusto Function

let TeamCymru = (externaldata (Source:string, CIDR:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip'] with (ignoreFirstRecord=true));

Self Contained Kusto


// Test randomly generated IP addresses
//*** Variables start
let NumberOfIPsToTest = 10000;
//*** Variables end
let TeamCymru = (externaldata (Source:string, CIDR:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip']
with (ignoreFirstRecord=true));
let IPsTesting = materialize(
range Position from 1 to (NumberOfIPsToTest) step 1 //Generate x random IP Addresses for testing
| extend IpAddress = strcat(toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255)), '.', toint(rand(255))));
IPsTesting
| evaluate ipv4_lookup (TeamCymru, IpAddress, CIDR, return_unmatched=false) //Show only results that hit otherwise change to true
| where Source !startswith('RFC')


// How many IP Addresses are in the Team Cymru data?
let TeamCymru = (externaldata (Source:string, CIDR:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip']
with (ignoreFirstRecord=true));
TeamCymru
| where Source !startswith('RFC')
| extend NumberOfIPs = pow(2, 32 - toint(split(CIDR, '/')[-1]))
| summarize TotalNumberOfIPs = sum(NumberOfIPs)


// Check specified IP addresses against Team Cymru data
// *** Variables start
let IPsOfInterest = dynamic(['8.8.8.8', '1.1.1.1']); //Enter IP Addresses you wish to lookup
// *** Variables end
let TeamCymru = (externaldata (Source:string, CIDR:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip']
with (ignoreFirstRecord=true));
print IpAddress = IPsOfInterest
| mv-expand IpAddress to typeof(string)
| evaluate ipv4_lookup (TeamCymru, IpAddress, CIDR, return_unmatched=true) //Show empty results otherwise change to false

Microsoft 365 Defender Example


// What connections have we seen to or from the Team Cymru dataset
let TeamCymru = (externaldata (Source:string, CIDR:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-teamcymru.csv.zip'] with (ignoreFirstRecord=true));
DeviceNetworkEvents
| where RemoteIPType == 'Public'
| summarize by RemoteIP
| evaluate ipv4_lookup(TeamCymru, RemoteIP, CIDR, return_unmatched=false)
| join kind=leftouter (DeviceNetworkEvents) on RemoteIP

Sentinel & Azure Log Analytics Example

Coming soon.